Wednesday, July 21, 2010

I know your name, where you work, and live (Safari v4 & v5)

Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined browser market share of 4% (~83 million users), have a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.

These fields are AutoFill’ed using data from the user's personal record in the local operating system address book. Again, it is important to emphasize that this feature works even though the user never entered this data on any website. Also, this behavior should not be confused with the normal auto-complete data a Web browser may remember after it's typed into a form.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

As shown in the proof-of-concept code (graciously hosted by Robert "RSnake" Hansen), the entire process takes mere seconds and represents a major breach in online privacy. This attack could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, and even blackmail if a user is de-anonymized while visiting objectionable online material.

Fortunately, any AutoFill data starting with a number, such as phone numbers or street addresses, could not be obtained because for some reason the data would not populate in the text field. Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network, where likely no one would ever notice because it’s not exploit code designed to deliver a rootkit payload. In fact, there is no guarantee this has not already taken place. What is safe to say is that this vulnerability is so brain-dead simple that I assumed someone else must have publicly reported it already, but exhaustive searches and asking several colleagues turned up nothing.

I figured Apple might appreciate a vulnerability disclosure prior to public discussion, which I did on June 17, 2010 complete with technical detail. A gleeful auto-response came shortly after, to which I replied asking if Apple was already aware of the issue. I received no response after that, human or robot. I have no idea when or if Apple plans to fix the issue, or even if they are aware, but thankfully Safari users only need to disable AutoFill web forms to protect themselves.
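The attack described above depends on two things a page can inspect statically: form fields whose names match what AutoFill populates from the address book card, and styling that keeps those fields out of the user's sight (the comments mention CSS opacity and a large negative margin). The following audit is an added example, not code from the original post or its proof of concept; it scans raw HTML markup with regular expressions, needs no browser or DOM library, and treats the list of AutoFill-attracting field names as an assumption (Safari's exact matching rules are not on the page). The sample markup at the bottom is constructed for illustration.

```javascript
// Added example, not code from the original post or its proof of concept.
// Static audit of HTML markup: flags <input> elements whose name would be
// AutoFill'ed from the address book card and whose inline style hides them
// from the user. Heuristic and regex-based; it reads markup text only.

// Field names the post says AutoFill populates from the "Me" card.
// (Which attribute names Safari actually matches is an assumption here.)
const AUTOFILL_NAMES =
  /^(first[-_ ]?name|last[-_ ]?name|name|company|organization|city|state|e-?mail)$/i;

// Inline-style patterns that keep a field in the DOM but out of sight.
const HIDING_CSS = [
  { re: /opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)/i, reason: 'opacity:0' },
  { re: /margin-left\s*:\s*-\d+px/i, reason: 'negative margin-left (off-screen)' },
  { re: /(?:^|[^a-z-])left\s*:\s*-\d+px/i, reason: 'negative left offset (off-screen)' },
  { re: /visibility\s*:\s*hidden/i, reason: 'visibility:hidden' },
  { re: /display\s*:\s*none/i, reason: 'display:none' },
];

// Parse the attributes of a single start tag into a lower-cased key map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per AutoFill-target input: its name, whether its
// inline style hides it, and which hiding patterns matched.
function auditInputs(html) {
  const findings = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const name = attrs.name || attrs.id || '';
    if (!AUTOFILL_NAMES.test(name)) continue;
    const style = attrs.style || '';
    const reasons = HIDING_CSS.filter((h) => h.re.test(style)).map((h) => h.reason);
    findings.push({ name, hidden: reasons.length > 0, reasons });
  }
  return findings;
}

// Convenience: only the fields a user could not see being filled in.
function hiddenAutofillTargets(html) {
  return auditInputs(html).filter((f) => f.hidden);
}

// Constructed sample markup (not from the post): two hidden AutoFill targets,
// one visible target, and one unrelated hidden field that should be ignored.
const SAMPLE_HTML = `
<form id="mine">
  <input name="firstname" style="opacity: 0; position: absolute">
  <input name="email" style="margin-left: -500px">
  <input name="company">
  <input name="search" style="opacity:0">
</form>`;

for (const f of hiddenAutofillTargets(SAMPLE_HTML)) {
  console.log(`hidden AutoFill target "${f.name}": ${f.reasons.join(', ')}`);
}
```

Run it with `node` against saved page source; a visible AutoFill target is normal form design, while a hidden one is the combination worth a closer look. The check is a heuristic: fields hidden through external stylesheets, clipping, or fields created only at runtime will not show up in a static scan.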

76 comments:

What makes you think that? I use chrome and I saw some of my information pop up as it went through the letters, but the website didn't appear to receive that information (nothing appeared after the colons). I think chrome's auto-fill relies on popups that don't actually input your info into the form until you hit enter. Whereas Safari just directly inputs your info into the form.

@Anonymous, Tom: I believe this may be a WebKit issue and not just Safari. While it is difficult to confirm now, I suspect this technique did in fact affect Chrome. Had some discussions with Google a while back surrounding this topic and recall them finding/fixing something, but I don't really get all the details straight. Will have to find an older Chrome version somewhere to confirm...

@Harryf: good find, that is vaguely similar and potentially offers a way to make this more efficient.

@klkl: it does, sorta, but getting it to work is more difficult than it should be. At least for me. :)

Very good implementation. I love it! By the way, I think you already knew about it based on: http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/ Are these issues the same things?

@Soroush: related, but not identical. that post / technique was leveraged using XSS... this technique uses keyboard event simulation and gets very browser specific. Often enough this sort of research takes years to fine tune and get straight.

JG, great tweet! This type of infringement, as well as WiFi spying, i.e. data capture over unsecure networks, is on the rise. We at SwissDisk give free secure, end-to-end encrypted accounts to anyone who wants to keep their private info private. Watch your settings, people! Stay safe out there in the wild wireless world aka the www.

Maybe I'm not thinking this through, but you can get a lot of information through publicly-available information about your IP address. MaxMind and other geolocation services have pretty granular information about where IPs are located. Not to mention that ARIN makes available who owns a particular IP, and if you're surfing from work, the owner of the IP you're on will very likely be your employer. And, most sites log the IPs of their visitors. So, it seems bad to leak info from your address book, but just because you don't doesn't mean the sites don't know where you are or potentially where you work.

I'm on Safari 5, the example "exploit" code you linked went through A - Z for each field and didn't get any info. All fields blank. I have Autofill on, I have a "Me" card in my Address Book. I can Autofill my info when I'm on a website. So what gives? Maybe I'm misreading your post, but I'm not seeing any "exploit" here.

I had exactly the same result as Anonymous up there -- on Safari 5, autofill on, "me" card selected, works on sites I frequent, zilch on the proof of concept. This may work on v4, but it looks to me like v5 already has this patched.

I seem to recall that Autofill was disabled by default in Safari. Is that still the case?

Regardless, I've disabled that particular preference.

Is there a selective script blocker out for Safari yet? I'd prefer a whitelist, since I don't find JavaScript to be much of a necessity for the majority of sites I visit (much like Flash). However, it would be nice to enable it for a few trusted sites.

If Apple doesn't want to acknowledge this issue, that's quite alright. Because it's now the top item in Google's "How to of the Day." Hence, about 1/2 billion people worldwide know about it now. Good job, Jeremiah!

Unfortunately, too many companies care little about privacy. Take amazon.co.uk: it uses information to display what you previously browsed on their web site even when you haven't logged on. Any user of the computer can see your browse history.

This only works if you've entered that data into the address book, and then the site owners would have to extract it using javascript, so if you run things like noscript (or just javascript disabled), this is a non-issue.

@book publishers: Yes I did, over a month ago. Two emails, but not a word of confirmation or action ever came of it.

@Anonymous: Is NoScript available for Safari? And most OS X users have a "me" card as a result of the registration process.

@Anonymous: Ideally all auto-complete preferences should be disabled. The data contained within is hard, but not impossible to collect.

@PS: this data can absolutely be stolen and transferred back to the website. I didn't put in that code on purpose, but it is indeed really easy. On the invisibility, the only reason it is visible is for demonstration purposes. A little bit of CSS opacity does the trick.

Thanks for your replies. To me, this looks more like a problem with JS being able to things it shouldn't be allowed to do, such as sending the data without user interaction.

Autofill by itself is a great tool for me. Almost every day, I find myself requesting product information from companies who require me to fill in a form beforehand. Having the form fill itself automatically is a real time saver.

Simply set the input style to `margin-left: -500px`, include MooTools (http://ajax.googleapis.com/ajax/libs/mootools/1.2.4/mootools-yui-compressed.js) and put the following code before the body closing tag (in script tags): `window.addEvent('domready', function(){$('mine').addEvent('submit', start());});` to make the script autostart. With this snippet, you can't even realize that your data has been sent.

Fortunately any AutoFill data starting with a number, such as phone numbers or street addresses, could not be obtained because for some reason the data would not populate in the text field.

What if the script not only sent A-Z but also 1-9 (and "(")? Would that flush out Phone Numbers and Addresses? Since it is triggering on the first character of the field, the failure to send a number would seem to me to explain the "safety" of these fields.

@anonymous: I tried entering numbers into the keyboard simulation, but for some reason any string data beginning with a number wouldn't populate in the form field. So I just took the numbers out of the loop for speed purposes. But don't worry, there is another technique that is much faster to pull all the data out -- numbers included. :)

I think it's not a highly critical issue; however, it's good for everyone to know about issues like that. Actually, malware authors look for such delicate problems to do something malicious. Btw, it's cool.

I've been using Google Chrome for a while, but then I had to recover my PC, and when I downloaded it again, when I search in the toolbar where you put in websites, it takes me to Yahoo instead of Google. How can I change that so when I write something it takes me automatically to Google?


About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!